help with set acl



I'm trying to use the set ACL to grant read permission to any entry that has the value 'CUNIX_wheel' for the multi-valued attribute 'affiliation' (of type directoryString with caseIgnoreMatch).

I think I have the syntax right, but I'm having a lot of trouble getting it to work. I'm using 2.3.20.

access to *
	by self read
	by anonymous auth
	by set="user/affiliation* & [CUNIX_wheel]" read


Here's what happens when I bind as myself and list my affiliations:

/usr/local/CUITopenldap/bin/ldapsearch -h abalone.cc.columbia.edu -p 3451 -Y GSSAPI -LLL uni=phr2101 affiliation
SASL/GSSAPI authentication started
SASL username: phr2101@CC.COLUMBIA.EDU
SASL SSF: 56
SASL installing layers
dn: uni=phr2101,ou=People,o=Columbia University,c=US
affiliation: ACISdialupNet
affiliation: ACISlabUser
.... [edit out long list of affiliations]
affiliation: CUNIX_src
affiliation: CUNIX_staff
affiliation: CUNIX_sy
affiliation: CUNIX_us
affiliation: CUNIX_wheel
... [edit out some affiliations]
affiliation: CUadministrator_IT
affiliation: CUcourse_COMSE6181_001_2005_3
affiliation: CUcourse_COMSE6998_007_2005_1

However, when I search for someone else:

/usr/local/CUITopenldap/bin/ldapsearch -h abalone.cc.columbia.edu -p 3451 -Y GSSAPI -LLL uni=zg1
SASL/GSSAPI authentication started
SASL username: phr2101@CC.COLUMBIA.EDU
SASL SSF: 56
SASL installing layers

I don't get any results.


The log file shows:

=> access_allowed: auth access to "uni=phr2101,ou=People,o=Columbia University,c=US" "uni" requested
=> acl_get: [1] attr uni
=> acl_mask: access to entry "uni=phr2101,ou=People,o=Columbia University,c=US", attr "uni" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
=> access_allowed: search access to "uni=zg1,ou=People,o=Columbia University,c=US" "uni" requested
=> acl_get: [1] attr uni
=> acl_mask: access to entry "uni=zg1,ou=People,o=Columbia University,c=US", attr "uni" requested
=> acl_mask: to value by "uni=phr2101,ou=people,o=columbia university,c=us", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= check a_set_pat: user/affiliation* & [CUNIX_wheel]
=> bdb_entry_get: found entry: "uni=phr2101,ou=people,o=columbia university,c=us"
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> access_allowed: search access denied by =0

I'm not sure how to interpret these logs, but from what I can tell it finds my entry where it checks the set pattern...

I'm new to sets and have spent some time reading the FAQ and previous questions, but I'm not sure what I'm missing.

Anyone know what's going on, or have a better way of making my ACL?

thanks,

Patrick
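As an added example that is not part of Patrick's post or of OpenLDAP's own code: a small Python model of what the set clause is meant to compute, namely the intersection of the bound user's affiliation values with the literal, granting access only when that intersection is non-empty. It assumes case-insensitive comparison (the attribute's caseIgnoreMatch rule), handles only the `user/<attr>`, `[literal]`, `&` and `|` forms, and leaves out the trailing `*` from the post, whose effect this model does not cover; the entries are constructed from the values shown above.

```python
# Added example: a tiny model of evaluating an OpenLDAP-style set ACL
# clause against the bound user's entry. Constructed data; it mimics
# the slapd set syntax only for "user/<attr>", "[literal]", "&" and "|".
import re

# Constructed sample entries (affiliation lists trimmed from the post).
ENTRIES = {
    "uni=phr2101,ou=People,o=Columbia University,c=US": {
        "affiliation": ["ACISdialupNet", "CUNIX_staff", "CUNIX_wheel"],
    },
    "uni=zg1,ou=People,o=Columbia University,c=US": {
        "affiliation": ["ACISlabUser"],
    },
}

TOKEN = re.compile(r"\s*(user/\w+|\[[^\]]*\]|&|\|)")


def tokenize(expr):
    """Split a set expression into operands and operators."""
    pos, tokens = 0, []
    while pos < len(expr.rstrip()):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad set syntax at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def operand(tok, bound_dn):
    # "user/attr" yields the bound user's values for attr; an anonymous
    # bind (empty DN) has no entry and therefore yields the empty set.
    # Values are lower-cased to model caseIgnoreMatch (assumption).
    if tok.startswith("user/"):
        attr = tok[len("user/"):]
        return {v.lower() for v in ENTRIES.get(bound_dn, {}).get(attr, [])}
    return {tok[1:-1].lower()}  # "[literal]" is a one-element set


def evaluate_set(expr, bound_dn):
    """Left-to-right evaluation of '&' (intersection) and '|' (union)."""
    tokens = tokenize(expr)
    result = operand(tokens[0], bound_dn)
    for op, tok in zip(tokens[1::2], tokens[2::2]):
        rhs = operand(tok, bound_dn)
        result = result & rhs if op == "&" else result | rhs
    return result


def set_grants(expr, bound_dn):
    """A set clause matches only when the resulting set is non-empty."""
    return len(evaluate_set(expr, bound_dn)) > 0
```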